Bug #30552 Apache Crash with a regular expression
Submitted: 2004-10-25 16:31 UTC Modified: 2005-01-04 11:50 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: cristic at interaktonline dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 4.3.9 OS: Windows XP Home Edition
Private report: No CVE-ID: None
 [2004-10-25 16:31 UTC] cristic at interaktonline dot com
Description:
------------
Crashing configurations:

Apache 2.0.50
with PHP 4.3.7, 4.3.8, 4.3.9
or 
Apache 2.0.48
with PHP 4.3.6
OS Win XP Home Edition

The code below does not crash with PHP 4.3.7, 4.3.8 or 4.3.9 and Apache 1.3.31 on the same OS.

Reproduce code:
---------------
<?php 
$sql = "SELECT sur_survey_ssr.id_ssr,sur_survey_ssr.name_ssr, sur_survey_ssr.welcome_ssr,sur_survey_ssr.thankyou_ssr, sur_survey_ssr.footer_ssr,sur_survey_ssr.header_ssr, sur_survey_ssr.startdate_ssr,sur_survey_ssr.enddate_ssr, sur_survey_ssr.url_ssr,sur_survey_ssr.active_ssr, count(s2.id_srs) as responses, count(s1.id_srs) as test FROM sur_survey_ssr  LEFT JOIN sur_response_srs s2 ON id_ssr=s2.idssr_srs LEFT JOIN sur_response_srs s1 ON id_ssr=s1.idssr_srs AND s1.test_srs=1 WHERE 1=1 GROUP BY sur_survey_ssr.id_ssr ORDER BY startdate_ssr DESC";

if (preg_match('/^(\s|\n|\r)*select(.|\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im', $sql, $matches)){
	die('a');
}else{
	die('b');
}
?>

Expected result:
----------------
- The regular expression should match any string which starts with the 'SELECT' SQL keyword and ends with a LIMIT SQL condition.


Actual result:
--------------
- When this specific string, contained in the $sql variable, is specified, the Apache process crashes.

- Backtracking the problem, I found out that the following regular expression stops crashing the web server:

'/^(\s|\n|\r)*select(\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im'

- The crash appears immediately; it's not an infinite loop.




 [2004-11-10 09:18 UTC] cmarin at interaktonline dot com
I'm back:

The bug appears to have a memory allocation issue when it tries to split the string. A workaround is the use of the 's' modifier.

The following RegExp, which has the same results, works:

'/^(\s|\n|\r)*select.*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/ims'
 [2005-01-04 11:50 UTC] sniper@php.net
Not PHP bug. (PCRE has limitations..)
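
An added example, not part of the original report or of PHP's own code: it runs the reporter's pattern and the workaround pattern from the thread against constructed SQL strings, and treats a PCRE failure as an error instead of a non-match. It assumes PHP 7 or later; `has_limit_clause`, the limit values and the sample inputs are hypothetical.

```php
<?php
// Added example (not from the bug report). Assumes PHP 7+; preg_last_error()
// and the pcre.* ini settings used here exist since PHP 5.2.

// Pattern from the report: (.|\n|\r)* repeats a capturing group once per character.
$original = '/^(\s|\n|\r)*select(.|\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*'
          . '(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im';
// Workaround from the thread: plain .* with the 's' modifier so '.' matches newlines.
$workaround = '/^(\s|\n|\r)*select.*limit\s+-?[0-9]+(\s|\n|\r)*'
            . '(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/ims';

// Cap the work PCRE may do, so a long input produces an error return
// instead of exhausting the process. The values are illustrative.
ini_set('pcre.backtrack_limit', '100000');
ini_set('pcre.recursion_limit', '10000');

/**
 * Hypothetical helper: returns true/false for match/no match and throws when
 * PCRE gave up, so a limit error is never mistaken for "no LIMIT clause".
 */
function has_limit_clause(string $pattern, string $sql): bool
{
    $result = preg_match($pattern, $sql);
    if ($result === false) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result === 1;
}

// Constructed inputs: a long SELECT without LIMIT, and a short one with LIMIT.
$long  = 'SELECT ' . str_repeat('t.col_ssr, ', 2000) . "t.id FROM t\nORDER BY id DESC";
$short = "SELECT id\nFROM t\nLIMIT 10, 20";

foreach (['original' => $original, 'workaround' => $workaround] as $name => $pattern) {
    foreach (['long' => $long, 'short' => $short] as $label => $sql) {
        try {
            $out = has_limit_clause($pattern, $sql) ? 'match' : 'no match';
        } catch (RuntimeException $e) {
            $out = $e->getMessage();
        }
        echo "$name / $label: $out\n";
    }
}
```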

 
Last updated: Sat Oct 25 11:00:01 2025 UTC